The NixOS configuration file I use to set up mac.jelle.space for my MacBook
# NixOps network expression for the "personal" deployment: one Hetzner host
# (server.jelle.space) that terminates WireGuard for the peers listed in
# `tunneledPeers` and forwards traffic for them.
let
  # UDP port WireGuard listens on; the same value is opened in the firewall.
  wgListenPort = 51820;

  # Peers tunneled through this host. Each record holds the peer's WireGuard
  # public key and the single IPv4 and IPv6 address it may use.
  tunneledPeers = [
    {
      ipv4Addr = { addr = "195.201.249.203"; suffix = 32; };
      ipv6Addr = { addr = "2a01:4f8:c2c:2b57::2"; suffix = 128; };
      wgPublicKey = "3WWr1zr3ry6KeAwr3Cw3mQsnBeLLUYs1DGa7iEwyAWA=";
    }
  ];

  # Render an { addr; suffix } record as CIDR notation, e.g. "10.0.0.1/32".
  toCidr = a: "${a.addr}/${toString a.suffix}";

  # AllowedIPs for one tunneled peer: exactly its v4 and v6 address.
  peerAllowedIPs = p: [ (toCidr p.ipv4Addr) (toCidr p.ipv6Addr) ];

  # Turn a tunneled-peer record into a WireGuard peer definition.
  mkTunnelPeer = p: {
    publicKey = p.wgPublicKey;
    allowedIPs = peerAllowedIPs p;
  };

  # Fixed peer outside `tunneledPeers`: routes 10.3.0.0/16 via a known endpoint.
  staticPeer = {
    publicKey = "j1N3Ca5R6deUM1IBpfrdkdGVoPVERvIIhW2aN7NdNH4=";
    allowedIPs = [ "10.3.0.0/16" ];
    endpoint = "213.124.166.73:51820";
  };

  # NixOS module describing the host.
  hostModule = { config, pkgs, ... }: {
    imports = [
      # Results of the hardware scan.
      ./hardware-configuration.nix
    ];

    boot = {
      loader.grub = {
        # GRUB 2 installed to /dev/sda ("nodev" would be the EFI-only choice).
        enable = true;
        version = 2;
        device = "/dev/sda";
      };
      # WireGuard kernel module taken from the configured kernel package set.
      extraModulePackages = [ config.boot.kernelPackages.wireguard ];
      # Packet forwarding is required so the tunnels can route traffic.
      kernel.sysctl = {
        "net.ipv4.conf.all.forwarding" = 1;
        "net.ipv6.conf.all.forwarding" = 1;
      };
    };

    time.timeZone = "Europe/Amsterdam";

    networking = {
      hostName = "server.jelle.space";

      interfaces.ens3 = {
        # Hetzner needs a static IPv6 configuration.
        ipv6.addresses = [
          { address = "2a01:4f8:c2c:2b57::1"; prefixLength = 64; }
        ];
        # Answer neighbour requests on behalf of the tunneled peers.
        proxyARP = true;
      };
      defaultGateway6 = {
        address = "fe80::1";
        interface = "ens3";
      };

      wireguard.interfaces.wg0 = {
        ips = [ "10.4.0.1/24" "fd00:4242:0:1::1/64" ];
        listenPort = wgListenPort;
        # Private key comes from a NixOps deployment key (deployment.keys), not
        # from a literal in this file.
        # NOTE(review): the key file is only present once NixOps has pushed
        # keys; confirm the wg0 unit is ordered after the key service on boot.
        privateKeyFile = config.deployment.keys.privkey-wireguard.path;
        allowedIPsAsRoutes = true;
        # Tunneled peers first, then the fixed peer.
        peers = (map mkTunnelPeer tunneledPeers) ++ [ staticPeer ];
      };

      firewall = {
        enable = true;
        # Already the default; stated for explicitness.
        allowPing = true;
        allowedUDPPorts = [ wgListenPort ];
        # Author's note: believed to be needed for routing the tunnels (unverified).
        checkReversePath = "loose";
      };
    };

    environment.systemPackages = with pkgs; [ vim wireguard wireguard-tools ];

    services.openssh = {
      enable = true;
      # Key-based logins only.
      passwordAuthentication = false;
    };

    users = {
      # User database is fully declarative.
      mutableUsers = false;
      users = {
        jelle = {
          isNormalUser = true;
          description = "Jelle Besseling";
          extraGroups = [ "wheel" ];
          openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICunYiTe1MOJsGC5OBn69bewMBS5bCCE1WayvM4DZLwE jelle@Jelles-Macbook-Pro.local" ];
          # Password file is supplied as a NixOps deployment key.
          passwordFile = config.deployment.keys.password-jelle.path;
        };
        # Key NixOps itself uses to manage the host.
        root.openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN1hSb1eyjoKjqIqfqy9rwf1ubSjnrXGZjBwPbhlN0u1 NixOps client key for personal" ];
      };
    };

    system = {
      # NixOS release this configuration targets (affects stateful services
      # such as databases); change only when the release notes say so.
      stateVersion = "18.09";
      autoUpgrade.enable = true;
    };
  };
in {
  personal = hostModule;
}